Automating Let's Encrypt SSL certificate management using the DNS-01 challenge and AWS
This post describes the steps needed to automate the management of SSL certificates from the Let's Encrypt CA using the DNS-01 challenge and AWS.
acme-dns-route53 is a tool that lets us implement this functionality. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to carry out the DNS-01 challenge and, finally, push notifications to SNS. acme-dns-route53 also has built-in functionality for running inside AWS Lambda, and that is exactly what we need.
This article is divided into 4 sections:
creating a zip file;
creating an IAM role;
creating a lambda function that runs acme-dns-route53;
creating a CloudWatch timer that triggers the function 2 times a day;
Note: before you begin you need to have GoLang 1.9+ and the AWS CLI installed.
Creating a zip file
acme-dns-route53 is written in GoLang and supports versions no lower than 1.9.
We need to create a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from the GitHub repository using the go install command:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53
The binary will be installed into the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler explicitly that it must build a binary for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be deployed as a zip file, so let's create the acme-dns-route53.zip archive, which will contain the freshly installed binary:
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53
Note: the binary must be at the root of the zip archive. We use the -j flag for this.
Now our zip archive is ready for deployment; all that remains is to create a role with the required permissions.
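Before packaging, a practitioner will want to confirm that the GOOS/GOARCH cross-compile actually took effect: a binary built for the developer's own OS zips without complaint but fails the moment Lambda invokes it. The following is an added example, not from the original post or from the acme-dns-route53 project. It is a POSIX shell script that reads the ELF header of the built binary (magic, 64-bit class, little-endian byte order, x86-64 machine type) and refuses to zip anything else. The binary path $GOPATH/bin/acme-dns-route53 and the zip command come from the post; the function names and the --check flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that the binary
# produced by `go install` really targets Linux/amd64 before zipping it.
set -eu

# Read COUNT bytes at OFFSET from FILE as a lowercase hex string.
hex_at() {
  # $1 = file, $2 = offset, $3 = count
  od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Return 0 if FILE is a 64-bit little-endian ELF for x86-64 (what AWS Lambda
# on amd64 executes), 1 otherwise. Mach-O, PE or 32-bit ELF all fail here.
check_linux_amd64_elf() {
  f="$1"
  [ -f "$f" ] || return 1
  # e_ident: magic 7f 45 4c 46 ("\x7fELF"), EI_CLASS 02 = 64-bit, EI_DATA 01 = LSB
  [ "$(hex_at "$f" 0 6)" = "7f454c460201" ] || return 1
  # e_machine at offset 18 (2 bytes, little-endian): 0x003e = EM_X86_64
  [ "$(hex_at "$f" 18 2)" = "3e00" ] || return 1
  return 0
}

# Stand-alone usage: check the installed binary, then zip it with -j so the
# file sits at the archive root, as the post requires.
if [ "${1:-}" = "--check" ]; then
  bin="${GOPATH:-$HOME/go}/bin/acme-dns-route53"
  if check_linux_amd64_elf "$bin"; then
    echo "ok: $bin is an ELF64 x86-64 binary"
    zip -j ~/acme-dns-route53.zip "$bin"
  else
    echo "refusing to package $bin: not a Linux/amd64 ELF binary" >&2
    exit 1
  fi
fi
```

Run it as `sh check-binary.sh --check` after the `go install` step; a build accidentally made without GOOS=linux GOARCH=amd64 is rejected before it ever reaches AWS.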
Creating an IAM role
We need to set up an IAM role with the permissions our lambda will need while it runs.
Let's name this role lambda-acme-dns-route53-executor and immediately attach the basic AWSLambdaBasicExecutionRole policy to it. This will allow our lambda to run and write logs to the AWS CloudWatch service.
First, we create a JSON file describing the permissions that allow the Lambda service to assume the lambda-acme-dns-route53-executor role:
Let's run the aws iam create-role command to create the role:
$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json
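The post refers to the JSON trust-policy file, but this copy of the page does not show its contents. The following is an added example, not the post's own code: a shell script that writes the standard AWS Lambda trust policy (service principal lambda.amazonaws.com, action sts:AssumeRole) to ~/lambda-acme-dns-route53-executor-policy.json, the path the create-role command reads, and checks before the role is created that the document names that principal and that action and contains no wildcard principal, which would let any AWS account assume the role. The function names and the --write flag are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): write and sanity-check the
# trust policy for the lambda-acme-dns-route53-executor role.
set -eu

POLICY_FILE="${POLICY_FILE:-$HOME/lambda-acme-dns-route53-executor-policy.json}"

# Write the standard Lambda trust policy to $1. Only the Lambda service
# principal may assume the role; no account or user principal is listed.
write_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Return 0 if the document at $1 names the Lambda service principal and
# sts:AssumeRole and has no wildcard principal ("*" or {"AWS": "*"}).
check_trust_policy() {
  f="$1"
  [ -f "$f" ] || return 1
  grep -q '"lambda.amazonaws.com"' "$f" || return 1
  grep -q '"sts:AssumeRole"' "$f" || return 1
  ! grep -q '"AWS": *"\*"' "$f" || return 1
  ! grep -q '"Principal": *"\*"' "$f" || return 1
  return 0
}

# Stand-alone usage: write the file, verify it, then it is ready for
# `aws iam create-role --assume-role-policy-document file://$POLICY_FILE`.
if [ "${1:-}" = "--write" ]; then
  write_trust_policy "$POLICY_FILE"
  check_trust_policy "$POLICY_FILE" && echo "trust policy OK: $POLICY_FILE"
fi
```

The check is deliberately narrow: it does not parse JSON, it only catches the two mistakes that matter most for a role like this, a missing Lambda principal (the function cannot assume the role) and a wildcard principal (anyone can).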
Note: remember the ARN (Amazon Resource Name) of the created role; we will need it in the next steps.
The lambda-acme-dns-route53-executor role has been created, so now we need to grant it permissions. The simplest way to do this is with the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy as shown below:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Note: a list of other policies can be found here.
Creating a lambda function that runs acme-dns-route53
Hooray! Now we can deploy our function to AWS using the aws lambda create-function command. The lambda must be configured with the following environment variables:
AWS_LAMBDA - explicitly tells acme-dns-route53 that execution is taking place inside AWS Lambda.
DOMAINS - a comma-separated list of domains.